Update: Canadian student expelled for playing security “white hat”

An online petition drive launched to reinstate Ahmed Al-Khabaz, a student expelled from Dawson College after running security scans on a student information system that exposed major weaknesses.

This story has been updated with additional information from Dawson College

A 20-year-old Canadian computer science student has become, depending on your point of view, a martyr for computer security or a cautionary tale for students and others who take an interest in exposing security flaws in software products. While Ahmed Al-Khabaz said he felt he had a "moral duty" to probe the security of a student information system used by over 250,000 students, the school's administration said his acts were a "serious professional conduct issue" and expelled him. Now, fellow students are demanding his reinstatement, and the college and its software provider are facing a publicity and security backlash.

Al-Khabaz and another student reported finding a security flaw in the mobile application for Omnivox, a Web-based software package developed by Montreal-based Skytech Communications that is used by students to access and manage their personal information and college services—including their Social Insurance numbers, the Canadian equivalent of US Social Security numbers.

Omnivox is used widely by Quebec's general and vocational colleges. Al-Khabaz told the National Post that the software had "sloppy coding" that allowed anyone "with basic knowledge of computers to gain access to the personal information of any student"—including virtually all of the personal data the college had collected on them. Al-Khabaz and fellow student Ovidiu Mija found the flaw by running Acunetix, a web site security scanning tool.

When Al-Khabaz and Mija reported the problem to the school's director of Information Services and Technology, Al-Khabaz claimed they were initially congratulated for finding the flaw and were told it would be fixed immediately. But it was Al-Khabaz' next step that landed him in trouble with the school. Two days later, he decided to check to see if the flaw had indeed been fixed, running the scanning software again.

Acunetix provides a free trial download of its software for checking against cross-site scripting (XSS) attacks; the complete tool can perform deeper vulnerability scans against websites. Both, however, are intended primarily for use during offline software testing, and not on live sites—in its full version, Acunetix crawls the entire target site checking for vulnerabilities and documents error messages for signs of potential attack paths.

Al-Khabaz told the National Post that moments after he ran the scan, Skytech's president Edouard Taza called him on his home phone, telling him it was the second time that the company had seen his activities in their log files, and that what he was doing was considered a cyber-attack. Al-Khabaz claimed that Taza threatened prosecution if he did not meet with him and sign a nondisclosure agreement. Taza confirmed the conversation to the Post but denied he made threats; Skytech executives did not respond to Ars' request for comments.

The use of the scanning software against an active site, even in its limited trial form, is at best a mistake, said Acunetix Director of Sales Chris Martin in an interview with Ars. "We go to great lengths to stress to users not to use Acunetix WVS on live websites, but on offline copies of those Web application setups to avoid these situations," he told us. "This is clearly stated in our manual as well as in prominent guideline advisories on our website."
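Skytech said it recognized the scans in its log files. As an added example (not code from Ars, Skytech or Acunetix) of what that recognition looks like in practice, the Python below parses Combined Log Format access logs and flags any client whose requests in a one-minute window are mostly injection probes or error responses, the traffic pattern a crawling scanner leaves and an ordinary portal user does not. The log lines, IP addresses, paths and thresholds are constructed assumptions, not data from the Omnivox incident.

```python
"""Flag web-vulnerability-scanner bursts in Combined Log Format access logs.

Added example, not code from the article, Skytech or Acunetix. The sample log
lines are constructed; the thresholds are assumptions a real deployment would
tune against its own baseline traffic.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote

# Apache/nginx "combined" format:
# ip - user [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Payload fragments a scanner injects into parameters; a normal user never sends these.
PROBE_MARKERS = ("<script", "' or ", "../", "union select", "%00", "sleep(")

# Sliding-window thresholds (assumed; tune per site).
WINDOW = timedelta(seconds=60)
MIN_REQUESTS = 20      # requests per client per window before we judge at all
MIN_PROBE_RATIO = 0.3  # share of requests carrying a probe marker
MIN_ERROR_RATIO = 0.3  # share of 4xx/5xx responses


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["path"] = unquote(rec["path"])  # decode %3C etc. before matching markers
    return rec


def has_probe(path):
    return any(marker in path.lower() for marker in PROBE_MARKERS)


def find_scanners(lines):
    """Return {ip: summary} for clients whose busiest WINDOW looks like an automated scan."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["time"])
        best, start = None, 0
        for end in range(len(recs)):            # two-pointer sliding window
            while recs[end]["time"] - recs[start]["time"] > WINDOW:
                start += 1
            window = recs[start:end + 1]
            n = len(window)
            if n < MIN_REQUESTS:
                continue
            probes = sum(has_probe(r["path"]) for r in window) / n
            errors = sum(r["status"] >= 400 for r in window) / n
            suspicious = probes >= MIN_PROBE_RATIO or errors >= MIN_ERROR_RATIO
            if suspicious and (best is None or n > best["requests"]):
                best = {"requests": n, "probe_ratio": round(probes, 2),
                        "error_ratio": round(errors, 2),
                        "user_agents": sorted({r["ua"] for r in window})}
        if best:
            flagged[ip] = best
    return flagged


def _sample_log():
    """Constructed sample: one ordinary user plus one client hammering a login form with probes."""
    base = datetime(2013, 1, 20, 14, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{t}] "GET {p} HTTP/1.1" {s} 512 "-" "{ua}"'
    ts = lambda d: d.strftime("%d/%b/%Y:%H:%M:%S +0000")
    lines = []
    for i in range(5):                           # five normal page views over ten minutes
        lines.append(fmt.format(ip="10.0.0.5", t=ts(base + timedelta(minutes=2 * i)),
                                p="/portal/grades?term=2013W", s=200, ua="Mozilla/5.0"))
    probes = ["/portal/login?user=%3Cscript%3Ealert(1)%3C/script%3E",
              "/portal/login?user='%20OR%201=1--",
              "/portal/doc?file=../../etc/passwd"]
    for i in range(25):                          # 25 probes in 25 seconds, half erroring
        lines.append(fmt.format(ip="192.0.2.77", t=ts(base + timedelta(seconds=i)),
                                p=probes[i % 3], s=500 if i % 2 else 200, ua="Mozilla/5.0 (scan)"))
    return lines


if __name__ == "__main__":
    for ip, summary in find_scanners(_sample_log()).items():
        print(ip, summary)
```

The window size and ratios are the knobs: a crawler that only fetches pages will trip the request count but not the probe ratio, while a scanner that fuzzes every parameter trips both. In a real deployment the summary would be correlated with the authenticated session on those requests, which is how a site operator can tie a burst to a named account rather than just an address.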

While Skytech saw the probe by Al-Khabaz as the mistake of an overeager student, Dawson College administrators decided to take disciplinary action. After he was interviewed by the dean of Dawson and his Computer Science program coordinator, the details were brought to a meeting of 15 professors in the school's Computer Science department. By a 14-to-1 vote, they moved to expel him.

That move was denounced by the Dawson Student Union as an attempt to sweep the security problems under the rug. In a statement, the Student Union's officers said, "Though he offered to assist Skytech to fix malfunctions that could lead to the theft (of student information), Al-Khabaz’s goodwill was rejected and he was instead greeted with increased hostility, character accusations and legal threats." And an online petition drive, called HamedHelped, is underway to have Al-Khabaz (also known as Hamed) reinstated at Dawson.

But the college, through its Facebook page, denied that the expulsion was motivated by a desire to conceal the risk to students' data. "We’re in the delicate position of trying to respond to every claim and accusation without breaking the law that forbids us from discussing your personal student files with the media or anyone else, for that matter," the Dawson College statement read. "We cannot violate the privacy of our students, even when they go public with their version of what happened."

In a statement posted to the college's website, the school implied that Al-Khabaz had been previously warned off his actions, and despite that warning went back again and ran the site scanner. "The reasons cited in the National Post article for which the student was expelled are inaccurate," the college administration's statement read. "The process which leads to expulsion includes a step in which a student is issued an advisory to cease and desist the activities for which he or she is being sanctioned, particularly in the area of professional code of conduct. Conditions for remaining in the College on good terms are clearly explained in person to the student."

One of Al-Khabaz's former instructors went further, writing a letter to the Montreal Gazette on the matter, mocking the media for painting an unfair picture of the college's actions. "I can tell you that our Computer Science program, like virtually all professional programs, has a professional conduct policy that lays out expectations that our students must meet, in addition to purely academic requirements," wrote Alex Simonelis, a member of the faculty of Dawson College's Computer Science Department.

"The media need to fill in some blanks in their accounts," Simonelis continued. "Exactly how did the student “stumble upon” the flaw? Was it by running intrusion tests against Skytech’s website? If so, did he have Skytech’s permission to do so, given that it is unacceptable to do so otherwise? Was the student given a cease-and-desist warning regarding such actions by our college’s administration? After informing our college of the flaws, and being invited to demonstrate them at the college on a specific date, did the student sign an agreement not to run further intrusion tests against Skytech? Did the student run such an intrusion test again, after the warning/signing? Did the student have a hearing with our department chair and dean? I believe I know the answers to those questions, but I could be wrong, and so would really appreciate any correction the media provide."

Skytech has responded to the backlash by trying to reach out to Al-Khabaz and help him continue his studies. On January 21, Taza told the CBC that he was offering Al-Khabaz a part-time job and a scholarship to continue pursuing his degree at a private college. Apparently, news of that offer didn't calm the backlash—for much of Monday, Skytech's website and the site of Dawson College were both unreachable, apparently due to a denial of service attack. Both sites are now back online.

Is there possibly more to this story than what is written here? Of course, I would expect knee-jerk reactions to "hacking" from certain school administrators, but when I read that 14 out of 15 CS professors in a board setting voted to expel him, I had second thoughts.

CS professors aren't idiots; these people actually understand what the guy did, the implications of it, and his possible motivations. Why would they vote to expel him without good reason??

Following this meeting, the fifteen professors in the computer science department were asked to vote on whether to expel Mr. Al-Khabaz, and fourteen voted in favour. Mr. Al-Khabaz argues that the process was flawed because he was never given a chance to explain his side of the story to the faculty.

Talk about a no-win situation. I don't know why anyone would want to attend a college that treated its students so unfairly (not allowing him an opportunity to be confronted by his accusers, defend himself to those who voted on his expulsion, lacking a meaningful appeals process). So not going back there could be considered a good thing, but it seems like the expulsion itself is going to prevent his admission to a better run institution. I guess the best one could do in this situation is to get back into Dawson, make sure his transcript looks appropriate, and transfer.

This is moronic on so many levels. First of all, aren't educational establishments supposed to foster and reward curiosity? Second, do they really think nobody else is scanning them *with the exact same tool* and that if it weren't for him there would be no problem? If so, they should immediately disconnect from the internet.

This is why I say no to "patient portals" at doctor's offices, or rent pay and maintenance request portal at my apt building, or the car dealer service dept portal, and so on and so forth. Hardly any of these systems have been coded by competent developers, and with first and foremost security in mind. And if they haven't, then yes in fact they are almost certainly going to be easily hackable.

The only online presence I sort of trust is my bank's (online banking), but that's because their systems are old mainframes running Cobol and the kids that do all the hacking don't know what to do with them.

I think it's pretty silly to get worked up about this when you've only heard his side of the story. The University has its hands tied as they can't discuss the case.

If you look at this objectively, he did get a chance to "explain himself" to the Dean of the CS department. He then took the matter to a disciplinary board and they overwhelmingly voted to boot him.

Also, in all Universities that I've known, the administration (which administers the school) is usually separate from (and often at odds with) the faculty. So I can't see the faculty circling the wagons to protect the administration's outsourced information system.

This story doesn't pass the sniff test. If I were a betting man, I would guess he accessed some information he shouldn't have and shared it publicly and not for the white hat reasons he states.

Of course, this is just based on my life's experiences, I don't know what happened here. Which is my point, you don't either.

Good will or not, the questions are simple enough: How far did he get into a system he was not supposed to? How much "damage" (i.e. downtime, IT work, etc.) did he do to the system through pen testing it improperly? Companies have a certain period of time to address security issues when they are exposed. It is not 48 hours. And anyone clever enough to find such infractions as are intimated here should know it will take more than 2 days to resolve such issues and keep a coherent system functional. So I personally have a few reservations with taking this story at face value.

New question: if he knew half of this, why was he really in there 2 days later?

These kinds of tools usually submit forms thousands of times with data crafted to expose flaws. Even if you're not open to a vulnerability, you'll probably end up with a whole bunch of junk records in your database.

If the student was a little bit smarter, or responsible, he'd realize that this is why you're not supposed to run such a tool against a live site.

Trying to gain unsolicited access to someone else's computer system is (not unreasonably) against the rules. If he wanted to know if the bug he found was fixed, he could, and should, simply have asked.

The second action was a bit stupid. First off, why couldn't he check for the flaw the same way he did the first time? Unless the story is incomplete and it was the same tool. But still, 2 days is far too short a period, and he should have first followed up by asking whether it had been fixed.

Of course, maybe he decided to exploit it and is trying to cover his ass.

Sure, the school's reaction is moronic, but so is running invasive security probing software on a website that you are not only in some way connected with, but also have only days before TOLD the people who run that website that you're doing so.

Sorry, but I doubt anyone here would react positively to being probed for security exploits by someone without your knowledge, regardless of whether or not the person said "I WAS JUST DOING IT TO MAKE SURE EVERYTHING WAS OK!! I SWEAR!!"

This also seems to fall outside the realm of "whitehat" since he was in no way asked to do this by the school or the company that created the security software.

As a general rule of thumb, you should never run penetration testing tools on websites that you yourself are not directly responsible for.

But then you should also not be required to use such a website if you don't/can't trust its level of security. Since there was no alternative, it is a rightful concern - especially one that is easily demonstrable as well.

If he indeed had wanted to harm the school or students he could have sold/posted the security flaw, and it may have been months before the breach was discovered. By the time the flaw was discovered the only article would be about who is at fault.

If I were him I would not sign an NDA from either the school or company unless I was compensated well into the six figure area.

Trying to gain unsolicited access to someone else's computer system is (not unreasonably) against the rules. If he wanted to know if the bug he found was fixed, he could, and should, simply have asked.

The bug affected him also - his own data was exposed. It seems reasonable that he should be able to verify whether the bug had been fixed as he was a victim himself.

Having said that, two days is far too short a time to expect a bug fix, and he should have known that. So I have to wonder if there was more to it. Perhaps he was merely looking for additional problems to report, perhaps it was more nefarious. Regardless, since no harm was done he should receive the benefit of the doubt.

Indoctrination is the process of inculcating ideas, attitudes, cognitive strategies or a professional methodology (see doctrine).[1] It is often distinguished from education by the fact that the indoctrinated person is expected not to question or critically examine the doctrine they have learned.

Sure, the school's reaction is moronic, but so is running invasive security probing software on a website that you are not only in some way connected with, but also have only days before TOLD the people who run that website that you're doing so.

Sorry, but I doubt anyone here would react positively to being probed for security exploits by someone without your knowledge, regardless of whether or not the person said "I WAS JUST DOING IT TO MAKE SURE EVERYTHING WAS OK!! I SWEAR!!"

This also seems to fall outside the realm of "whitehat" since he was in no way asked to do this by the school or the company that created the security software.

This line of reasoning would imply that you have to have a license to use particular 'types' of software. Both are problematic and undesirable: the requirement for licenses and the categorization of software into 'categories' based on capabilities.

As a user of a system, how or why should you be notified or consequently worry about who else out there runs what kind of software on that system. If it is accessible to a piece of software over its publicly accessible interface (http in this case), then it is a fair use of that 'third party' (conveniently categorized here as the 'scanning') software. The fact that it does scanning as opposed to downloading and printing is irrelevant. It is a capability of that third-party software, not of the system under discussion. The only capability of the system under discussion is that it was found doing what it should not be doing - a flaw, if you will - and that ought to have nothing to do with how and by whom it was discovered.

Now, arguably, you could say that the site could have listed in its TOS that running the 'scanning' type of software is not permissible. But since the definition of what constitutes scanning is very much in the air and pretty much impossible to pin down, and add to that the concept of intention (hacking vs security-researcher), you have made a mess of a simple situation.

Ideally, if the company does not want the 'scanning' type of software to be run on their systems, they should do a better job of 'describing' the capabilities they assume the 'scanning' software implies, and then code their software to deny those requests.

Trying to gain unsolicited access to someone else's computer system is (not unreasonably) against the rules. If he wanted to know if the bug he found was fixed, he could, and should, simply have asked.

Overreacting... maybe, except for the bit of having to pay their IT department or contractor to go in and make sure he didn't botch anything else while he was in there. His actions reek of script kiddiness.

When someone does the wrong thing for the right reason, throwing the book at them is rarely the correct course of action. Academics, CS professors in particular, may have glowing IQs, but they often seem to have some deficiency in the EQ department so 14-to-1 against sounds quite good in that they have at least one professor who is either completely off their rocker or can see the big picture.

The smart thing to do would have been to call in the blighter, explain WHY what he did was wrong, offer him some training from a REAL white hat and let him figure out how to turn his interest in campus security into an effective tool the school could use, he could later productize, and all the while earning credits (that he'd pay for.)

All that being said, the fact that he went ahead and used a tool meant for offline use on someone else's production site means either he never read the instructions and isn't quite bright enough to figure out the consequences on his own, he understood the consequences but let the earlier commendation embolden him to jump into stupidville, or perhaps his ego got to him and he jumped straight on the Zuckerberg express to bastardville.

How did Skytech get his number, or even know it was him "pen testing" without their prior knowledge, and is it only after (or during) that call that he offered to work with them? We are left to figure that the school was quick to contact Skytech, perhaps even passing along an offer/contact info from the student(s) that found the problem.

Not sure why the school can't chalk this up as a learning experience since even Skytech didn't press any charges.

Sure, the school's reaction is moronic, but so is running invasive security probing software on a website that you are not only in some way connected with, but also have only days before TOLD the people who run that website that you're doing so.

Sorry, but I doubt anyone here would react positively to being probed for security exploits by someone without your knowledge, regardless of whether or not the person said "I WAS JUST DOING IT TO MAKE SURE EVERYTHING WAS OK!! I SWEAR!!"

This also seems to fall outside the realm of "whitehat" since he was in no way asked to do this by the school or the company that created the security software.

D-do you not know what "white-hat" means? It means that you tell them that you're going to do it, so they don't overreact and cause a fucking shit storm. Fucking duh.

All else aside. No good deed goes unpunished. Leave the kid alone, let him back in school. He's obviously smarter than those responsible for the college's network and those who designed the software. What harm was done? None.

How did Skytech get his number, or even know it was him "pen testing" without their prior knowledge, and is it only after (or during) that call that he offered to work with them? We are left to figure that the school was quick to contact Skytech, perhaps even passing along an offer/contact info from the student(s) that found the problem.

Not sure why the school can't chalk this up as a learning experience since even Skytech didn't press any charges.

Indeed, I doubt even the CIA/NSA/FBI/ETC could correlate an IP address to a phone number blindly within an hour. Certainly not with enough confidence to call and threaten legal action.

It makes me suspicious to a degree of the company, that they called so fast. Though, they may have had his IP flagged from his earlier test (but it sounds like a different test was used anyways).

...All that being said, the fact that he went ahead and used a tool meant for offline use on someone else's production site means either he never read the instructions and isn't quite bright enough to figure out the consequences on his own, he understood the consequences but let the earlier commendation embolden him to jump into stupidville, or perhaps his ego got to him and he jumped straight on the Zuckerberg express to bastardville.

Yeah, 'cause he's still a student. Students don't know all the things they need to yet. That's why they're ... students.

Skytech already had all of his personal information. If he was in a dorm, using a university-issued ID, or his IP could be correlated to previous logins it would be trivial to identify who was doing what.

I picked up this sentence from a comment above as it describes my biggest issue with this whole line of thing: relying on TOS/EULAs to convey what is permissible and what is not.

People are getting into trouble for using curl and wget? Same query executed by hand is fine but that through a python script becomes ground for prosecution? Doesn't anybody see how fundamentally flawed this is?

Using EULA and TOS (what is the difference anyway!) to enforce policy is the wrong way to go about it. If you don't want unauthorized access, then code your software so that a normal user can't create 10K records. This is utter nonsense that your software can allow this, but you add a line in an unrelated section of an unrelated document that would not be in the context at the moment the software would be being used to inform the user that he is not allowed to do as such.

The correct tool to enforce policy is the binary language of the software itself. Create an admin account; only admins can create 10K records for stress and invasive testing. Now if someone 'hacks' the admin account, then you have grounds for pursuing a punishment - clearly the person was unauthorized to have access to the account.

But if your site is open and any software can be run, then by definition it is 'authorized' at the binary level. Your TOS/EULA restrictions are practically a contradiction. On one hand you are saying don't do this, yet on the other hand your software is exposing that functionality in full that anybody can 'rightfully' (meaning without hacking an account) utilize.

It is software. The policy of usage should be enforced/enforceable at binary-level. It is not TOS/EULA's place to list what is permissible and what is not.

Is there possibly more to this story than what is written here? Of course, I would expect knee-jerk reactions to "hacking" from certain school administrators, but when I read that 14 out of 15 CS professors in a board setting voted to expel him, I had second thoughts.

CS professors aren't idiots; these people actually understand what the guy did, the implications of it, and his possible motivations. Why would they vote to expel him without good reason??

Individuals themselves are not often idiots, but when instituted into a "board of directors" they often manifest a level of ineptitude that is incomprehensible. Is it possible they acted towards self-preservation by condemning and scapegoating someone outside of their group for something the group was partly, if not fully, responsible for?

I think it's pretty silly to get worked up about this when you've only heard his side of the story. The University has its hands tied as they can't discuss the case.

This is a minor point, but Dawson is a CEGEP (in Quebec, high-school ends at Grade 11, and students need to finish a two-year college program before they can apply to an actual university). But yes, one would hope that the CS instructors would still have been able to understand the situation.

IrishMonkee wrote:

Well, if a Canadian school doesn't want to enroll him, I'm sure there are a few US universities/colleges/tech institutions that wouldn't mind having him.

As long as he could afford it. When I went to Dawson, the tuition was in the range of something like a few hundred dollars a semester.

Sean Gallagher / Sean is Ars Technica's IT Editor. A former Navy officer, systems administrator, and network systems integrator with 20 years of IT journalism experience, he lives and works in Baltimore, Maryland.